Security Vendors Stumping For Certification

Saying companies like Cisco, Symantec and McAfee are making claims
they can't back up, four vendors ask them to prove it through certification.


Four application security vendors are challenging some of the biggest names in the security industry to put their money where their mouth is about secure products.

Teros, NetContinuum, Imperva and F5 Networks issued a challenge to Cisco, Juniper Networks, McAfee, Check Point Software and Symantec to certify their products are as good at rooting out application-level vulnerabilities as they've claimed.

Officials said that, according to a Gartner Group research paper,
application-level attacks make up to 70 percent of all attacks on the
network. Those attacks, officials say, go right at the Web applications tied to the back-end systems that house personal information and confidential data.

Greg Smith, director of product marketing for Teros, said the good news is that security administrators are beginning to pay attention to application-level attacks and to scrutinize claims made by some of the bigger security vendors about the ability of their products to detect and restrict application-level malware.

"We believe these claims are exaggerated and even misleading to customers," he said.

As such, the four smaller vendors have set up a certification process, administered by ICSA Labs, which will prove Symantec, Juniper, Cisco, McAfee and Check Point all meet the minimum levels of application security. Letters went out to the CEOs and executives at the companies last week with the challenge to take the $8,000 certification test by Nov. 22.

Application-level vulnerabilities occur on a different layer of the OSI Model than network-based attacks and need to be handled separately. While attacks on both layers share some methods, for example DDoS attacks, application-level attacks have their own lexicon: SQL injection, cross-site scripting and cookie poisoning, to name a few.

Officials point to some of the following claims from the four network security vendors they say are unfounded:

"To defend networks from a wide variety of application layer attacks
and give businesses more control over applications/protocols in their
environments, [Cisco's] inspection engines combine extensive
application/protocol knowledge with a variety of security enforcement
technologies..." -- Cisco

Officials at Cisco confirmed they had received the letter from the four
vendors and are evaluating whether they will test their products, but
wouldn't comment on the claims made by the four vendors.

"We recognize the value of industry-wide testing opportunities and carefully
review and evaluate every opportunity Cisco's invited to," said Amy Hughes,
a spokesperson for Cisco. Comments from Symantec and the other vendors involved were not immediately available.

Smith maintains that while three of the four vendors are startups (Teros,
NetContinuum and Imperva), this isn't a ploy to grab attention.

"We didn't set the objective targeting the big guys simply to create more
noise or more press coverage," he said. "We looked at who we thought was
creating confusion in the marketplace and these are the five vendors, when
we compared and talked to our sales force and we saw where the confusion was
stemming from and we looked at where the claims were coming from, it boiled
down to these five."

According to the Yankee Group, application security will grow to be a $2 billion market in the next five years, as the number of vulnerabilities targeting applications grows proportionately.

"Web applications often link directly to sensitive business data, making them a prime target for hackers intent on stealing financial and identity data," said Jim Slaby, Yankee Group senior analyst, in a statement. "Open initiatives by vendors to self-regulate their industry benefit customers by helping establish minimum baselines for comparing security products and sorting through sometimes confusing marketing messages."

The announcement came at the Computer Security Institute (CSI) conference, taking place in Washington, D.C., this week.